The Cobit 4.1 IT governance framework produced by ISACA—the systems audit association—has thirty-four IT processes which include a considerable amount of information on exactly how to establish effect IT controls and, more importantly, successfully meet your IT compliance requirements. Sadly, some managers look at this effort in terms of just simply "passing" an audit. It's my view that successful implementation of IT compliance is really all about changing the behaviors of the members of your team and achieving improved quality and productivity. So how does one go about doing that in the real world of today's challenging corporate environment. This post will take a walk through each of the Cobit controls and discuss, in practical terms, how improved processes can be successfully implemented and supported. Obviously, this is not always easy and and I hope that you will read on and then drop me a line with your input on what works and what doesn't!
Each of the thirty-four IT processes described in the Cobit 4.1 framework contain a lot of useful information. Well actually there is lots of information and frankly some of it can be pretty hard to wade through. I have found some approaches work better than others. I would like to talk about this in my blog and solicit your input and war stories about what works and what doesn't.
For example, AI 6 - Manage Changes shows five tasks to be completed:
1. Develop and implement a process to consistently record, assess and prioritise change requests.
2. Assess impact and prioritise changes based on business needs.
3. Assure that any emergency and critical change follows the approved process.
4. Authorise changes.
5. Manage and disseminate relevant information regarding changes.
The real breakthrough comes from understanding the control objectives.
For example,
1. Develop, document and promulgate a change management framework that specifies the policies and processes, including:
• Roles and responsibilities
• Classification and prioritisation of all changes based on business risk
• Assessment of impact
• Authorisation and approval of all changes by the business process owners and IT
• Tracking and status of changes
• Impact on data integrity (e.g., all changes to data files being made under system and
application control rather than by direct user intervention)
2. Establish and maintain version control over all changes.
3. Implement roles and responsibilities that involve business process owners and appropriate technical IT functions. Ensure appropriate segregation of duties.
4. Establish appropriate record management practices and audit trails to record key steps in the change management process. Ensure timely closure of changes. Elevate and report to management changes that are not closed in a timely fashion.
5. Consider the impact of contracted services providers (e.g., of infrastructure, application development and shared services) on the change management process. Consider integration of organisational change management processes with change management processes of service providers. Consider the impact of the organisational change management process on contractual terms and SLAs.
